A simple command-line tool for encrypting files using AES-256-GCM authenticated encryption and uploading files to Azure Blob Storage via SAS URLs. Files are processed in chunks, making it suitable for large files while maintaining strong security guarantees.
- Python 3.8+
- uv
```bash
uv venv
uv sync
```

This will create a virtual environment and install all dependencies from pyproject.toml, including:
```bash
python main.py enc <input_file> <output_file>
```

Example:

```bash
python main.py enc secrets.txt secrets.enc
```

Output:

```text
Encryption complete.
SAVE THIS KEY. It is NOT stored anywhere.
Key (hex): a1b2c3d4e5f6...
Key (base64): obLD1OX2...
```

⚠️ Important: The encryption key is displayed once and is not stored anywhere. Save it immediately — without it, your data cannot be recovered.
```bash
python main.py upload <file_name> <sas_url>
```

Example:

```bash
python main.py upload secrets.enc "https://myaccount.blob.core.windows.net/mycontainer/secrets.enc?sp=cw&st=..."
```

Output:

```text
Uploading 'secrets.enc'...
Upload complete.
```

💡 Tip: You can combine both commands to encrypt and then upload a file:
```bash
python main.py enc secrets.txt secrets.enc
python main.py upload secrets.enc "https://myaccount.blob.core.windows.net/mycontainer/secrets.enc?sp=cw&st=..."
```

The SAS URL must have write permissions. If the blob already exists, it will be overwritten.
The output file consists of sequential encrypted chunks, each prefixed with its length:
```text
[8-byte chunk length][12-byte IV][ciphertext][16-byte GCM tag]
[8-byte chunk length][12-byte IV][ciphertext][16-byte GCM tag]
...
```

| Field | Size | Description |
|---|---|---|
| Chunk length | 8 bytes (big-endian) | Total size of IV + ciphertext + tag |
| IV | 12 bytes | Random initialization vector |
| Ciphertext | Variable | Encrypted data (up to 1 MiB) |
| GCM Tag | 16 bytes | Authentication tag for integrity |
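
The framing in the table above can be checked without the key. The following is an added example, not code from this project: it walks the chunk layout, bounds every length prefix before reading, and rejects a file in which an IV repeats. The names `iter_chunks`, `inspect`, `frame` and `FormatError` are hypothetical, and the sample bytes are constructed placeholders rather than real AES-GCM output.

```python
import struct

IV_LEN, TAG_LEN = 12, 16          # field sizes from the format table
MAX_PLAINTEXT = 1024 * 1024       # "up to 1 MiB" of data per chunk
MAX_BODY = IV_LEN + MAX_PLAINTEXT + TAG_LEN


class FormatError(ValueError):
    """Raised when the container framing is malformed."""


def iter_chunks(stream):
    """Yield (iv, ciphertext, tag) for each chunk, validating the framing."""
    index = 0
    while True:
        header = stream.read(8)
        if not header:
            return                                  # clean end of file
        if len(header) != 8:
            raise FormatError(f"chunk {index}: truncated length prefix")
        (body_len,) = struct.unpack(">Q", header)   # 8-byte big-endian
        # Bound the length before reading so a corrupt prefix cannot
        # trigger a huge allocation.
        if not IV_LEN + TAG_LEN <= body_len <= MAX_BODY:
            raise FormatError(f"chunk {index}: implausible length {body_len}")
        body = stream.read(body_len)
        if len(body) != body_len:
            raise FormatError(f"chunk {index}: truncated body")
        yield body[:IV_LEN], body[IV_LEN:-TAG_LEN], body[-TAG_LEN:]
        index += 1


def inspect(stream):
    """Return (chunk_count, ciphertext_bytes); reject repeated IVs."""
    seen, total = set(), 0
    for iv, ciphertext, _tag in iter_chunks(stream):
        if iv in seen:        # GCM must never reuse an IV under one key
            raise FormatError("IV repeated within the file")
        seen.add(iv)
        total += len(ciphertext)
    return len(seen), total


def frame(iv, ciphertext, tag):
    """Build one constructed chunk (placeholder bytes, not real AES output)."""
    body = iv + ciphertext + tag
    return struct.pack(">Q", len(body)) + body


# Constructed sample: two chunks with distinct IVs.
SAMPLE = (frame(b"\x01" * 12, b"A" * 100, b"\xaa" * 16)
          + frame(b"\x02" * 12, b"B" * 40, b"\xbb" * 16))
```

Passing this check says nothing about authenticity; that still depends on GCM tag verification with the key during decryption.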
```text
.
├── main.py            # CLI entry point
├── lib/
│   ├── encrypt.py     # Core encryption logic
│   └── upload.py      # Azure Blob Storage upload logic
└── README.md
```

EUROPEAN UNION PUBLIC LICENCE v. 1.2